mercredi 6 juin 2018

Capillary is an open source library to help developers implement end-to-end encryption for push notifications

If you’re a developer that implements push notifications in your app and you or your users care about data privacy, then it’s important that you transmit these push messages securely. For those of you who are already into data security, then implementing strong encryption measures is a no-brainer. For others, it’s a difficult feature to implement. Google’s Firebase Cloud Messaging (FCM) pushes messages over TLS so you can send your messages securely through Google’s servers, but by doing so you aren’t meeting the gold standard which is end-to-end encryption. Without end-to-end encryption, a theoretical third party could compromise the data; with it, only the end user’s device can decrypt the data. Implementing E2E encryption can be difficult for new developers, so that’s why Google is introducing Project Capillary. It is an open-source library that facilitates implementing E2E encryption between developers’ servers and clients’ devices.

With the Capillary library, the first step is done by the client device: generating a key pair. Then, the public key has to be registered with the developer’s server. The developer’s server will send push notifications encrypted with the public key through a push messaging service like FCM. The service then sends that message to the client which decrypts the message using the private key.

Capillary is backward compatible with API level 19, so it can be used on any device running Android KitKat or later. The library also includes some integrity protection measures to prevent message modification and takes device resetting measures into account. Capillary is NOT designed to implement E2E-encryption between two devices. This won’t help you make a secure messaging app!

Check out the Capillary open-source library at the link below. Keep in mind that, depending on your server’s architecture, you may need to make some manual adaptations. It’s nice of Google to make developers’ lives easier by providing necessary tools and libraries.